Black Hat USA – Las Vegas – At Black Hat USA, cybersecurity researchers demonstrated how attackers could hijack Gemini agents to control smart home devices, exfiltrate data, and more, using a simple Google Calendar invitation.
Promptware And The New Attack Surface
Ben Nassi (Tel Aviv University), Or Yair (SafeBreach), and Stav Cohen (Technion) demonstrated a series of sneaky prompts hidden in calendar invites on Google’s Gemini for Workspace.
Nassi, a faculty member at Tel Aviv University, explained that Promptware—malicious inputs (text, images, or audio) designed to exploit large language models (LLMs)—has emerged as a critical threat to LLM-powered applications.
Unlike traditional cyberattacks targeting memory corruption, Promptware exploits the LLM’s susceptibility to adversarial inputs, particularly through indirect prompt injection. The researchers debunked myths that such attacks require advanced expertise, GPU clusters, or white-box access, showing that a simple Google Calendar invite can trigger AI agents to change their behavior.
Targeted Promptware Attacks In Action

The team demonstrated 15 exploits targeting Gemini for Workspace, Google’s conversational LLM that integrates with Android apps like Gmail, Google Calendar, and Google Home. All of the attacks were initiated by a Google Calendar invite with a simple prompt injection in the subject line. Key exploits included:
- Spamming and phishing: A calendar invite instructed Gemini to recommend a fake investment opportunity, embedding a malicious link disguised as a legitimate GitHub URL. When users queried their calendar, Gemini pushed the phishing link without user suspicion.
- Toxic content generation: Using a technique called attention override, the team replaced Gemini’s default response (“Here are your events for this week”) with toxic or malicious text abusing the victim.
- Calendar manipulation: A prompt injection caused Gemini to delete random calendar events when users queried their schedule, without displaying the calendar.
- IoT device control: By exploiting delayed tool invocation, the team bypassed Google’s agent-chaining restrictions. A calendar invite instructed Gemini to activate Google Home tools (e.g., opening windows or turning on a boiler) when users said “thanks.” This instruction was hidden behind the calendar’s “show more” button. The threat researchers shared a video of this working in action, with Gemini closing the windows after being tricked by these hidden prompts.
- Geolocation and video streaming: Using Android Utilities, the team could open websites to geolocate victims via IP addresses or open apps (e.g., opening Zoom to stream videos of victims without consent, bypassing URL validation via HTTPS redirects).
- Data exfiltration: A Gmail-based prompt injection appended email subjects (e.g., “Series C round $50M”) to a malicious URL, exfiltrating data when users queried their inbox and responded with trigger words like “thanks.”
- Worm propagation: By exfiltrating email addresses and sending malicious calendar invites, the team demonstrated that attacks could potentially create a worm targeting Gemini for Workspace users, enabling more attacks to take place.
These exploits demonstrated inter-agent lateral movement (triggering actions across Gemini’s agents) and inter-device lateral movement (escaping Gemini to control apps like Zoom or Google Home). The team demonstrated this could lead to real-world actions, like opening your smart windows or switching on your smart appliances.
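The delayed tool invocation and “thanks” trigger described above point at a control an agent platform can enforce independently of the model: track whether untrusted third-party content (a calendar invite, an email) has entered the context, and refuse to run high-impact tools on a turn where the user issued no instruction. The following is an added illustration written for this article, not code from the researchers or from Google; the tool names, the message model and the sample invite are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed tool names. "Privileged" means the tool acts on the physical world or sends data out.
PRIVILEGED_TOOLS = {"google_home.set_window", "google_home.set_boiler",
                    "gmail.send", "browser.open_url"}

# Bare acknowledgements are not instructions; the delayed-invocation exploits fire on exactly
# these turns, so a privileged tool call on such a turn has no legitimate user request behind it.
ACK_RE = re.compile(r"^\s*(thanks|thank you|ok|okay|great|cool)[.!]*\s*$", re.IGNORECASE)

@dataclass
class Message:
    role: str       # "user" for typed turns, "tool_result" for content fetched by a tool
    text: str
    trusted: bool   # True only for the user's own typed turns

@dataclass
class ToolCall:
    name: str
    args: dict

def tool_call_decision(history: list, call: ToolCall) -> str:
    """Return 'allow', 'confirm' or 'deny' for a tool call the model proposes.

    Rule 1: if the user's latest turn is a bare acknowledgement, deny any privileged tool.
    Rule 2: if untrusted content (invite, email) is in context, a privileged tool needs
            explicit user confirmation, because its arguments may have been injected.
    """
    if call.name not in PRIVILEGED_TOOLS:
        return "allow"
    last_user = next((m for m in reversed(history) if m.role == "user"), None)
    if last_user is None or ACK_RE.match(last_user.text):
        return "deny"
    if any(not m.trusted for m in history):
        return "confirm"
    return "allow"

# Constructed stand-in for a calendar invite carrying injected instructions (content elided).
INVITE = Message("tool_result", "[invite text aimed at the assistant]", trusted=False)

def demo_delayed_invocation() -> str:  # the article's "thanks" scenario
    history = [Message("user", "What's on my calendar this week?", True), INVITE,
               Message("user", "thanks", True)]
    return tool_call_decision(history, ToolCall("google_home.set_window", {"state": "open"}))

def demo_explicit_request() -> str:    # user asks directly, no untrusted content seen
    history = [Message("user", "Please open the living room windows", True)]
    return tool_call_decision(history, ToolCall("google_home.set_window", {"state": "open"}))

def demo_request_after_untrusted() -> str:  # genuine request, but invite already in context
    history = [Message("user", "Read my calendar", True), INVITE,
               Message("user", "Open the windows please", True)]
    return tool_call_decision(history, ToolCall("google_home.set_window", {"state": "open"}))
```

The policy never inspects the invite text itself, which is the point: it holds even when the injected wording is hidden behind “show more” or phrased in a way a content filter would miss.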
Risk Assessment And Practicality
Using a custom threat analysis and risk assessment (TARA) framework, the team evaluated the practicality and impact of these attacks. Key findings:
- Practicality: Attacks require minimal equipment (a smartphone), basic expertise, and only the victim’s email address. They take seconds to initiate via a calendar invite and exploit frequent user interactions (e.g., checking emails or calendars). Result: “very likely” practicality.
- Impact: Threats cause severe privacy, financial, and operational damage, with 73% classified as high-to-critical risk, necessitating immediate mitigations.
Google’s Response And Mitigations

The researchers disclosed their findings to Google in February 2025. Google deployed multi-layered mitigations, detailed in a June 2025 blog post, including enhanced prompt injection defenses and validations. They also awarded the team a bug bounty.
Takeaways For Securing LLMs
The team urged organizations to reassess Promptware risks using their TARA methodology. The key points to know are:
- Promptware’s practicality: Unlike traditional cyberattacks, Promptware requires minimal resources and exploits user trust in LLM assistants.
- Physical and lateral impacts: Promptware can affect physical devices (e.g., IoT) and enable lateral movement across agents and applications.
- Future threats: Expect zero-click and untargeted Promptware variants (e.g., via YouTube) that exploit automatic inferences without prior system knowledge.
The full study, including all 15 exploits, is available here.